COVID Surveillance Part 2: Mobile Phone Location
Posted by ekr on 06 May 2020
This post originally appeared on the Mozilla Blog
Previously I wrote about the use of mobile apps for COVID contact tracing. This idea has gotten a lot of attention in the tech press -- probably because there are some quite interesting privacy issues -- but there is another approach to monitoring people's locations using their devices that has already been used in Taiwan and Israel, namely mobile phone location data. While this isn't something that people think about a lot, your mobile phone has to be in constant contact with the mobile network, and the network can use that contact to determine your location. Mobile phones already use network-based location to provide emergency location services and for what's called assisted GPS, in which tower-based location is used along with satellite-based GPS, but it can, of course, be used for services the user might be less excited about, such as real-time surveillance of their location. In addition to measurements taken from the tower, a number of mobile services share location history with service providers, for instance to provide directions in mapping applications or as part of your Google account.
If what you are trying to do is as much COVID surveillance as possible, this kind of data has several big advantages over mobile phone apps. First, it's already being collected, so you don't need to get anyone to install an app. Second, it's extremely detailed because it has everyone's location and not just who they have been in contact with. The primary disadvantage of mobile phone location data is accuracy; in some absolute sense, assisted GPS is amazingly accurate, especially to those old enough to remember when handheld GPS was barely a thing, but generally we're talking about accuracies on the scale of meters to tens of meters, which is not good enough to tell whether you have been in close contact (a couple of meters) with someone. This is still useful enough for many applications, and we're seeing this kind of data used for a number of anti-COVID purposes such as detecting people crowding in a given location, determining when people have broken quarantine, and measuring bulk movements.
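To make the three uses above and the accuracy limit concrete, here is an added example (my code, not anything from the original post or from any carrier or health authority) that runs the analyses over a constructed location log. Each fix carries the horizontal uncertainty the network reports; the crowding and quarantine checks work fine at that resolution, while the close-contact check has to answer "unknown" whenever the two fixes' error budgets swamp a two-metre threshold. The users, coordinates, and uncertainties are invented.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Fix:
    user: str
    t: int          # minutes since the start of the observation window
    x: float        # metres east of an arbitrary origin
    y: float        # metres north of that origin
    err_m: float    # reported horizontal uncertainty (radius); tower fixes are tens of metres


# Constructed sample log, not real carrier data. Carol's phone has a good
# A-GPS fix (single-digit metres); alice and bob only have tower-scale fixes.
LOG = [
    Fix("alice", 0,     0.0,   0.0, 35.0),   # at home
    Fix("alice", 60,  800.0, 600.0, 25.0),   # went out
    Fix("bob",   0,   500.0, 500.0, 30.0),
    Fix("bob",   60,  805.0, 590.0, 30.0),   # same place as alice, coarse fix
    Fix("carol", 0,  -900.0, 100.0,  8.0),
    Fix("carol", 60, -880.0, 120.0,  6.0),
]


def dist(a, b):
    return math.hypot(a.x - b.x, a.y - b.y)


def users_near(log, x, y, radius_m, t):
    """Crowding detection: everyone the network saw within radius_m of a point at minute t."""
    return sorted({f.user for f in log
                   if f.t == t and math.hypot(f.x - x, f.y - y) <= radius_m})


def quarantine_breaches(log, user, home_xy, allowed_m):
    """Minutes at which a user was provably more than allowed_m from home.
    Subtracting the fix's own uncertainty keeps a noisy at-home fix from counting."""
    hx, hy = home_xy
    return [f.t for f in log
            if f.user == user and math.hypot(f.x - hx, f.y - hy) - f.err_m > allowed_m]


def close_contact(a, b, threshold_m=2.0):
    """Three-valued proximity check: commit to 'yes' or 'no' only when the
    combined error radius allows it; otherwise the data cannot tell."""
    d, spread = dist(a, b), a.err_m + b.err_m
    if d + spread <= threshold_m:
        return "yes"
    if d - spread > threshold_m:
        return "no"
    return "unknown"


def mean_displacement(log):
    """Bulk-mobility metric: average straight-line distance between each
    user's first and last fix in the window."""
    by_user = {}
    for f in sorted(log, key=lambda f: f.t):
        by_user.setdefault(f.user, [f, f])[1] = f
    return sum(dist(first, last) for first, last in by_user.values()) / len(by_user)
```

Note what the carrier can answer without any app on the phone: who was at a given spot, who left home, and how far the population moved. The one question it cannot answer is the one contact tracing needs; alice and bob are eleven metres apart by the log, but with a combined 55 metres of uncertainty that is indistinguishable from two metres or from a hundred.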
But of course, all of this is only possible because everyone is already carrying around a tracking device in their pocket all the time and they don't even think about it. These systems just routinely log information about your location whether you downloaded some app or not, and it's just a limitation of the current technology that this information isn't precise down to the meter (and this kind of positioning technology has gotten better over time because precise localization of mobile devices is key to getting good network performance). By contrast, nearly all of the designs for mobile contact tracing explicitly prioritize privacy. Even the centralized designs like BlueTrace that have the weakest privacy properties still go out of their way to avoid leaking information, mostly by not collecting it. So, for instance, if you test positive BlueTrace tells the government who you have been in contact with, but if you aren't exposed to the coronavirus the government doesn't learn much about you.
The important distinction to draw here is between policy controls to protect privacy and technical controls to protect privacy. Although the mobile network gets to collect a huge amount of data on you, this data is to some extent protected by policy: laws, regulations, and corporate commitments constrain how that data can be used, and you have to trust that those policies will be followed. By contrast, the privacy protections in the various COVID-19 contact tracing apps are largely technical: they don't rely on trusting the health authority to behave properly because the health authority doesn't have the information in its hands in the first place. Another way to think about this is that technical controls are "rigid" in that they don't depend on human discretion: this is obviously an advantage for users who don't want to have to trust government, big tech companies, etc., but it's also a disadvantage in that it makes it difficult to respond to new circumstances. For instance, Google was able to quickly take mobility measurements using stored location history because people were already sharing that with them, but the new Apple/Google contact tracing will require people to download new software and perhaps opt in, which can be slow and result in low uptake.
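The "doesn't have the information in its hands" point, and the BlueTrace-style centralized design from the previous paragraph, can be seen in a toy model. This is an added example written for this page, not BlueTrace's code or wire format: the real scheme issues TempIDs as ciphertext of the user identifier and validity window under a backend key, whereas this stdlib-only model substitutes random opaque tokens plus a server-side table, which gives the same property (only the authority can resolve a token). The encounter log stays on the phone and is uploaded only on a positive test; the one thing the backend does see about everyone is the TempID fetch itself, which is the leak the footnote on TempIDs refers to. Names, timings, and the 15-minute TempID lifetime are constructed.

```python
import secrets


class HealthAuthority:
    """Central backend. It alone can map a TempID back to the user who was issued it."""

    def __init__(self):
        self._owner = {}        # tempid -> (user, valid_from, valid_to)
        self.request_log = []   # every TempID fetch: the authority learns who asked, and when
        self.notified = []      # (positive reporter, contacts identified)

    def issue_tempids(self, user, from_t, count, lifetime=15):
        self.request_log.append((user, from_t))
        batch = []
        for i in range(count):
            start = from_t + i * lifetime
            tid = secrets.token_hex(16)          # opaque to everyone but this server
            self._owner[tid] = (user, start, start + lifetime)
            batch.append((tid, start, start + lifetime))
        return batch

    def report_positive(self, reporter, encounters):
        """Only called when `reporter` tests positive and uploads the phone's local log.
        Returns the users the authority can now identify as contacts."""
        contacts = set()
        for tid, t in encounters:
            owner = self._owner.get(tid)
            if owner is None:
                continue                          # unknown token: ignore
            user, start, end = owner
            if start <= t < end and user != reporter:   # reject replayed or expired TempIDs
                contacts.add(user)
        result = sorted(contacts)
        self.notified.append((reporter, result))
        return result


class Phone:
    """Holds a batch of TempIDs and an encounter log that never leaves the device
    unless the owner tests positive."""

    def __init__(self, user, authority, t0=0):
        self.user = user
        self.tempids = authority.issue_tempids(user, t0, count=8)
        self.encounters = []                      # (tempid heard, minute)

    def advertise(self, t):
        for tid, start, end in self.tempids:
            if start <= t < end:
                return tid
        raise ValueError("out of TempIDs; a real client would fetch a new batch")

    def hear(self, other, t):
        # Stands in for receiving the other phone's Bluetooth advertisement.
        self.encounters.append((other.advertise(t), t))


def simulate():
    """Constructed day: alice and bob meet twice, carol meets nobody, alice tests positive."""
    ha = HealthAuthority()
    phones = {u: Phone(u, ha) for u in ("alice", "bob", "carol")}
    for t in (20, 35):
        phones["alice"].hear(phones["bob"], t)
        phones["bob"].hear(phones["alice"], t)
    contacts = ha.report_positive("alice", phones["alice"].encounters)
    return {"authority": ha, "phones": phones, "contacts": contacts}
```

Compare this with the carrier's position: the authority ends the day knowing that alice was near bob, and nothing about where, and knowing about carol only that her phone fetched TempIDs. Flip the design so phones upload every encounter as it happens and the same backend becomes a social graph for the whole population, which is the difference between a technical control and a policy promise not to look.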
The point here isn't to argue that one type of control is necessarily better or worse than another. In fact, it's quite common to have systems which depend on a mix of these. However, when you are trying to evaluate the privacy and security properties of a system, you need to keep this distinction firmly in mind: every policy control depends on someone or a set of someones behaving correctly, and therefore either requires that you trust them to do so or have some mechanism for ensuring that they in fact are.
Except that whenever you contact the government servers for new TempIDs it learns something about your current location. ↩︎
For instance, the United States Supreme Court recently ruled that the government requires a warrant to get mobile phone location records. ↩︎
For instance, the Web certificate system, which relies extensively on procedural controls but is increasingly backed up by technical safeguards such as Certificate Transparency. ↩︎